Write Down All Your Passwords?

Today, at The Register, there’s a story of some dude who is supposed to be a “security guru”. He tells you to write down all your passwords and keep them in your purse or wallet*. This topic was previously covered over on Slashdot.

This goes against years of generally-accepted, indelibly-ingrained password (and bank ATM PIN) personal policy: Never write down your password! It’s too easy for someone to hack your shit if they see it on a Post-It note on your computer! Or in your wallet* if it’s stolen! Given that it’s monumentally idiotic to use the same password for even two of your online logins (much less all of them), it does kind of make sense to write them all down so you can keep track of what goes where, and when.

Then again, I solved this problem about two and a half years ago. Basically, keep a single text file with all your userIDs and passwords in encrypted format (nowadays using an OS X-native encrypted disk image), and lock it down with a strong password that you’ll remember. It should be easy to remember just ONE really-hard-to-guess password to gain access to all your others, right? If not, you’re either a simpleton, or a Windows user.

* Every time I hear, think of, or say the word wallet, I automatically think of Lech Walesa, leader of the Polish Solidarity movement in the ’80s. Don’t ask me why, b/c I have no fucking clue; it just happens.
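The approach described above (one text file of logins, encrypted under a single master passphrase you actually remember) can be done on any Unix box with the stock openssl command; the script below is an added example and is not the post’s own setup or the OS X disk-image tool it mentions. It assumes an openssl with the -pbkdf2 option (OpenSSL 1.1.1 or later); the vault file names, the tab-separated line format and the sample logins are all constructed for illustration.

```shell
#!/bin/sh
# Added example: a single logins file kept encrypted under one master
# passphrase. Assumes openssl 1.1.1+ (for -pbkdf2). Paths, the vault line
# format and the sample entries are constructed for illustration.
set -e

# Encrypt a plaintext vault file into an AES-256-CBC blob. The passphrase is
# read from the VAULT_PASS environment variable so it never goes on the
# command line (and so never shows up in `ps` output or shell history).
# -pbkdf2 -iter slows brute force of the master passphrase; -salt makes
# identical vaults encrypt differently.
encrypt_vault() {
    # $1 = plaintext file, $2 = output file; VAULT_PASS must be exported
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -pass env:VAULT_PASS -in "$1" -out "$2"
}

# Decrypt the vault to stdout. CBC mode carries no integrity tag, so a wrong
# passphrase is caught only by the padding check (openssl exits non-zero in
# almost every case); the plaintext is never written back to disk here.
decrypt_vault() {
    # $1 = encrypted file; VAULT_PASS must be exported
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass env:VAULT_PASS -in "$1"
}

# Print the userid and password for one site from the decrypted vault.
# Vault format, one login per line: site<TAB>userid<TAB>password
lookup_entry() {
    # $1 = encrypted file, $2 = site name
    decrypt_vault "$1" | awk -F '\t' -v site="$2" '$1 == site { print $2, $3 }'
}

# Walk through the whole cycle: build a plaintext vault, encrypt it, delete
# the plaintext, then pull one entry back out with the master passphrase.
demo() {
    workdir=$(mktemp -d)
    plain="$workdir/logins.txt"
    vault="$workdir/logins.enc"

    # Constructed sample entries; no real accounts.
    printf 'example.com\talice\tcorrect-horse-42\n' >  "$plain"
    printf 'bank.example\talice\tbattery-staple-7\n' >> "$plain"

    VAULT_PASS='one-long-master-passphrase-you-remember'
    export VAULT_PASS
    encrypt_vault "$plain" "$vault"
    rm -f "$plain"    # only the encrypted copy should stay on disk

    lookup_entry "$vault" bank.example   # prints: alice battery-staple-7
    rm -rf "$workdir"
}

demo
```

The one password you have to remember is the one in VAULT_PASS; everything else lives only inside the encrypted file, which is what makes carrying it around (or losing the laptop) survivable.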

It encourages strong passwords, and there are a lot more people out sniffing wires than snooping for Post-its stuck to monitors. We have not officially started enforcing strong passwords on non-PCI (er, payment card industry) customers, but we’re going to have to, soon, and the burden of service and support will go up by astronomical orders of magnitude as soon as users are disallowed from having their password be their first name. The trick is to get a strong system for hiding the written-down password…

Schneier is the man. He invented the Solitaire cryptosystem from Cryptonomicon, you know. Your system is less user-friendly but similar to his PasswordSafe app – why it’s not been ported to Mac for point-and-drool goodness, I don’t know.